Google Authenticator

The purpose of this article is to explain the concept of two-factor authentication and its application in credit card fraud protection.

In order to minimize the possibility of online payment fraud, various techniques are used.

Credit Card Fraud and PCI-compliance

Originally, to prevent manipulations with customer information during credit card processing, several Payment Card Industry (PCI) standards were introduced. PCI-compliance is a set of requirements, imposed upon all credit card payment industry players, dealing with credit card data. The requirements are intended to protect customer’s credit card data from being intercepted. More detailed information can be found in respective article on PCI-compliance.

A lot of credit card fraud is being committed because credentials of a given user are getting compromised. Originally user information was often stolen, because inadequate measures were taken when storing usernames and passwords. Also, few adequate encryption mechanisms were available. Later on, stronger encryption techniques were introduced and best practices for user credentials storage were defined. Nevertheless, quite often people used same passwords in different systems, thus if an e-mail of such a person was hacked, the hacker could get access to the person’s bank account. Some other people used simple passwords, which could easily be guessed or hacked. Consequently, passwords were still often compromised.

To reduce fraud due to compromised user credentials, two-factor authentication mechanism was introduced.

Two-factor Authentication for Credit Card Systems

Two-factor authentication process involves two pieces of information: user’s password (so-called user factor) and an additional key (value or token), which is generated by a device (either a device, specifically designed for the purpose, or a mobile phone with appropriate app). Even if username and password are compromised or stolen, in order to access the system, the hacker would still require the possession of the key-generating device.

Traditionally, the implementation of two-factor authentication system was complicated, as it required a device specifically designed to accomplish the task. However, today, there is a simple way to implement the approach rather cheaply, using Google Authenticator app.

Basically, under two-factor authentication, there is a secret key, embedded or injected in the token-generating device. Using that key, in combination with time-based hashing algorithm, the device can generate a temporary token needed to authenticate the user. The system, where the user attempts to log in, is also aware of the key and the algorithm, and is able to generate a temporary value. Consequently, when the two values match at the time of authentication, the access is granted.

It is possible to implement the token-generating logic using the Google Authenticator app.

You can find additional detailed information on Google Authenticator here.

On logon screen additional field can be added for token input. During logon a customer will need to enter username, password, and generate the additional authentication factor through his or her phone.

The mechanism can be also used to secure virtual terminals, payment portals, and to handle e-wallet payments, as well as payments with a card which is stored on file with the processor. Also, when an online transaction is processed the token (two-factor authentication) can be used for additional customer identity verification.